I am working to leverage the below query for 'Stale Account Usage' from Splunk Security Essentials Docs, which uses lookup "account_status_tracker".
The 'How to Implement' guidance includes: "The only step you'll need to take is to create a lookup called account_status_tracker, and have authentication data in Common Information Model format. "
From the "Add New" lookup webpage, it is not clear how I assign an appropriate "Lookup File" that will have the necessary fields in CIM format. I have looked through Splunk docs and other likely resources, with no strong hits. I admit this is an area new to me.
My question is: what steps do I need to take to define this lookup, including assigning an appropriate "Lookup File"? When I select existing authentication-related files as the "Lookup File", I receive error messages, for example: "Cannot find the destination field 'count' in the lookup table...
Any leads greatly appreciated.
index=* source="*WinEventLog:Security" action=success
| stats count min(_time) as earliest max(_time) as latest by user
| multireport
[| stats values(*) as * by user
| lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest
| where prior_latest < relative_time(now(), "-90d")
| eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago."
| convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) ]
[| inputlookup append=t account_status_tracker
| stats min(earliest) as earliest max(latest) as latest sum(count) as count by user
| outputlookup account_status_tracker
| where this_only_exists_to_update_the_lookup='so we will make sure there are no results']
Usually, the first step to adding a lookup is to put a CSV file on the server in one of Splunk's 'lookups' directories. Then use the GUI to reference that file.
You also can use the Lookup File Editor app to create a new lookup file from the GUI.
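A worked illustration of what "create a lookup called account_status_tracker" amounts to, added here as an example and not taken from the thread or from Splunk Security Essentials. It assumes the lookup lives in an app directory such as $SPLUNK_HOME/etc/apps/search (the app name is an assumption), that the CSV header is exactly the fields the posted query reads and writes (user, count, earliest, latest, taken from its stats and OUTPUT clauses), and it uses constructed sample events and a constructed prior state to show what the search's two multireport branches do with that file. The first function writes the same two artifacts the GUI "Lookup table file" and "Lookup definition" steps produce; the other functions emulate the stale-account report and the lookup update so you can see why a file with only CIM Authentication columns cannot satisfy the OUTPUT clause.

```python
"""Seed the account_status_tracker lookup and emulate the SSE search's use of it.
Added example; not code from Splunk Security Essentials or from the thread.
Paths, sample events and the prior lookup contents are constructed."""
import csv
import os
import tempfile
from typing import Dict, List, Tuple

LOOKUP_NAME = "account_status_tracker"
# Header the search needs: `lookup ... OUTPUT count earliest latest` fails with
# "Cannot find the destination field" unless these columns exist in the CSV.
# count/earliest/latest come from the search's own stats, not from the CIM
# Authentication data model, so a CIM-shaped file will never carry them.
LOOKUP_FIELDS = ["user", "count", "earliest", "latest"]
DAY = 86400


def write_seed_files(app_dir: str) -> Tuple[str, str]:
    """Create a header-only CSV in <app>/lookups and a transforms.conf stanza in
    <app>/local so the name account_status_tracker resolves. Assumes app_dir is
    something like $SPLUNK_HOME/etc/apps/search (assumption). Idempotent."""
    lookups_dir = os.path.join(app_dir, "lookups")
    local_dir = os.path.join(app_dir, "local")
    os.makedirs(lookups_dir, exist_ok=True)
    os.makedirs(local_dir, exist_ok=True)
    csv_path = os.path.join(lookups_dir, f"{LOOKUP_NAME}.csv")
    if not os.path.exists(csv_path):
        with open(csv_path, "w", newline="") as fh:
            csv.writer(fh).writerow(LOOKUP_FIELDS)  # header only; outputlookup fills rows
    conf_path = os.path.join(local_dir, "transforms.conf")
    existing = open(conf_path).read() if os.path.exists(conf_path) else ""
    if f"[{LOOKUP_NAME}]" not in existing:
        with open(conf_path, "a") as fh:
            if existing and not existing.endswith("\n"):
                fh.write("\n")
            fh.write(f"[{LOOKUP_NAME}]\nfilename = {LOOKUP_NAME}.csv\n")
    return csv_path, conf_path


def load_tracker(csv_path: str) -> Dict[str, dict]:
    """Read the lookup back; times are epoch seconds, as the search stores them."""
    rows: Dict[str, dict] = {}
    with open(csv_path, newline="") as fh:
        for r in csv.DictReader(fh):
            rows[r["user"]] = {"count": int(r["count"]), "earliest": int(r["earliest"]),
                               "latest": int(r["latest"])}
    return rows


def save_tracker(csv_path: str, tracker: Dict[str, dict]) -> None:
    """Emulate `outputlookup account_status_tracker`: rewrite the whole file."""
    with open(csv_path, "w", newline="") as fh:
        w = csv.DictWriter(fh, fieldnames=LOOKUP_FIELDS)
        w.writeheader()
        for user in sorted(tracker):
            w.writerow({"user": user, **tracker[user]})


def merge_events(tracker: Dict[str, dict], events: List[dict]) -> Dict[str, dict]:
    """Emulate the update branch: stats count/min/max by user on successful
    logins, appended to the prior rows and re-aggregated with min/max/sum."""
    merged = {u: dict(v) for u, v in tracker.items()}
    for ev in events:
        if ev.get("action") != "success":  # the base search keeps action=success only
            continue
        u, t = ev["user"], int(ev["_time"])
        cur = merged.get(u)
        if cur is None:
            merged[u] = {"count": 1, "earliest": t, "latest": t}
        else:
            cur["count"] += 1
            cur["earliest"] = min(cur["earliest"], t)
            cur["latest"] = max(cur["latest"], t)
    return merged


def stale_logins(prior: Dict[str, dict], events: List[dict], now: int,
                 days: int = 90) -> List[Tuple[str, float]]:
    """Emulate the report branch: users seen in this batch whose prior_latest is
    older than `days`; value is the gap in days the query's explanation states.
    Users absent from the lookup have null prior_latest and are dropped."""
    batch = merge_events({}, events)
    cutoff = now - days * DAY
    report = []
    for u, cur in sorted(batch.items()):
        p = prior.get(u)
        if p is None or p["latest"] >= cutoff:
            continue
        report.append((u, round((cur["earliest"] - p["latest"]) / DAY, 2)))
    return report


def run_demo() -> dict:
    """Seed a temp app dir, load a constructed prior state, run one batch of
    constructed events through both branches, and return what resulted."""
    app_dir = tempfile.mkdtemp(prefix="sse_demo_")
    csv_path, conf_path = write_seed_files(app_dir)
    header = open(csv_path).read().strip().split(",")
    prior = {"bob": {"count": 3, "earliest": 1690000000, "latest": 1691000000}}  # constructed
    save_tracker(csv_path, prior)
    events = [  # constructed sample logons; carol's failure is filtered out
        {"_time": 1700000000, "user": "alice", "action": "success"},
        {"_time": 1700003600, "user": "alice", "action": "success"},
        {"_time": 1700000500, "user": "bob", "action": "success"},
        {"_time": 1700000900, "user": "carol", "action": "failure"},
    ]
    now = 1700010000
    report = stale_logins(load_tracker(csv_path), events, now)
    save_tracker(csv_path, merge_events(load_tracker(csv_path), events))
    return {"header": header, "conf": open(conf_path).read(),
            "report": report, "tracker": load_tracker(csv_path)}


if __name__ == "__main__":
    result = run_demo()
    print("seed header:", result["header"])
    print("stale:", result["report"])
    print("updated tracker:", result["tracker"])
```

The point the seed file makes: the CSV only needs those four column names to exist for the `lookup` OUTPUT clause to stop erroring; the first scheduled run's second branch populates the rows, and from the second run onward the first branch gets real prior_* values. Until the file holds at least one row for a user, that user's prior_latest is null and the `where` clause drops them, which is the expected behaviour on a fresh install, not a defect.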
@richgalloway: Thank you. After reading the guidance, "The only step you'll need to take is to create a lookup called account_status_tracker, and have authentication data in CIM format" I grabbed the current authentication CIM (Authentication - Splunk Documentation), but then held off on pushing to create the lookup. For example, I noticed that while the lookup will attempt to OUTPUT field "count", the authentication CIM does not include a "count" field. So, I was just taking a step back and seeing if there is any other information needed to best implement this solution.
Again, thank you.